Tuesday, February 12, 2013

Security Training? Seriously.

It is no secret that many CSOs acknowledge the inevitability of attacks penetrating security defenses. You are all challenged with enabling the user community to participate in security and to make healthy security decisions on their own. Continuous training of end users on the latest security issues should be a fundamental element of every security strategy to ward off security incidents.

According to Wombat Security, 48% of organizations report difficulty in funding security training programs and 44% report difficulty encouraging employees to take security seriously. This is an unacceptable position in these days of mobile and cloud computing, which place so much of the business beyond the protective reach of your IT and security teams.

Perhaps it is time for organizations to re-think their approach to security training. It is not a matter of sitting through an annual seminar lecture, or being forced to read policy documents and sign security pledges. CSOs love activating business users for a healthy business - integrating security training with employee education is consistent with that mission. With that in mind, here are three thoughts that may help you with a security training program.

1. Work with applications teams and human resources to embed security awareness into the business. Users are just not into security training for security's sake. For instance, you could allow cloud-based application training to include a few modules on mobile security. Users learn how to do their business better and improve their security awareness too!

2. Design metrics into the security training program. Your executive team will want to know how an investment in security training will help manage risk and drive the business - so build in measurements to help manage the program! For example, compare trained and untrained users on their ability to recognize phishing messages, redirections to rogue websites, risky applications, etc. You should expect that trained users will be less apt to be duped by new threats.

3. Include a few security best practices that are designed for home use. Face it, most of your user base has a family with a younger generation that uses apps your employees know little about. Including security awareness tips designed for home appeal may provide additional incentive for your users to learn a bit more about security issues.
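One way to implement the measurements suggested in point 2, as an added Python example that is not part of the original post: it takes constructed simulated-phishing results for a trained and an untrained cohort, computes click and report rates, and runs a two-proportion z-test so the gap can be reported as statistically significant (or not) rather than eyeballed. The cohort names and counts are made up for illustration.

```python
from dataclasses import dataclass
from math import erf, sqrt


@dataclass(frozen=True)
class Cohort:
    """Results of one simulated-phishing campaign for one group of users."""
    name: str
    users: int      # users who received the simulated message
    clicked: int    # users who followed the link or opened the attachment
    reported: int   # users who reported the message to the security team


def rate(part: int, whole: int) -> float:
    return part / whole if whole else 0.0


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> float:
    """z statistic for H0: both groups share the same underlying rate."""
    if not n1 or not n2:
        return 0.0
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (x1 / n1 - x2 / n2) / se if se else 0.0


def two_sided_p(z: float) -> float:
    """Two-sided p-value from the standard normal CDF (no SciPy needed)."""
    return 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))


def compare(trained: Cohort, untrained: Cohort, alpha: float = 0.05) -> dict:
    """Per-cohort rates plus whether the click-rate gap is significant at alpha."""
    z = two_proportion_z(trained.clicked, trained.users,
                         untrained.clicked, untrained.users)
    p = two_sided_p(z)
    return {
        "trained_click_rate": rate(trained.clicked, trained.users),
        "untrained_click_rate": rate(untrained.clicked, untrained.users),
        "trained_report_rate": rate(trained.reported, trained.users),
        "untrained_report_rate": rate(untrained.reported, untrained.users),
        "z": z,
        "p": p,
        "significant": p < alpha,
    }


# Constructed sample data: 400 users per cohort, one campaign each.
TRAINED = Cohort("trained", users=400, clicked=24, reported=120)
UNTRAINED = Cohort("untrained", users=400, clicked=72, reported=40)

if __name__ == "__main__":
    for key, value in compare(TRAINED, UNTRAINED).items():
        print(f"{key}: {value}")
```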

Finally, be careful about relying too heavily on “teachable moments”, where you capitalize on a security incident as justification to drive home security messages. While these are important, and you need to help users understand what they could have done more securely, you also want to keep your focus ahead of the curve and ahead of the next attack.

Good luck!

1 comment:

  1. Hi Eric. We do all that, and more, through "NoticeBored". I would also suggest running the awareness program like a marketing program, e.g. be employee rather than security oriented, use strong branding, segment the audience and use multiple media (not just IT multimedia). Keep the program rolling all year long too. You hinted at the pointlessness of an annual security lecture to the troops (one of my bugbears), so why not have a month-by-month plan, covering different aspects of information security each time, then moving on to the next - a good way to re-energize and re-focus the program 12 times a year, while at the same time gradually building the security culture (something that inevitably takes time).

    Kind regards,
    Gary Hinson